From 226049c7c2b492e87bc215e977763d8ee7a3f409 Mon Sep 17 00:00:00 2001 From: t0x01 Date: Wed, 5 Feb 2025 19:32:27 +0400 Subject: [PATCH] docs: Add ancestor binary export filter information Add information about new ancestor binary export filter to documentation. Signed-off-by: t0x01 --- api/v1/README.md | 1 + docs/content/en/docs/concepts/events.md | 3 ++- docs/content/en/docs/reference/grpc-api.md | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/api/v1/README.md b/api/v1/README.md index eebc443f12f..002f7cf647a 100644 --- a/api/v1/README.md +++ b/api/v1/README.md @@ -1454,6 +1454,7 @@ Capability set to filter over. NOTE: you may specify only ONE set here. | parent_arguments_regex | [string](#string) | repeated | Filter by process.parent.arguments field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | container_id | [string](#string) | repeated | Filter by the container ID in the process.docker field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | in_init_tree | [google.protobuf.BoolValue](#google-protobuf-BoolValue) | | Filter containerized processes based on whether they are descendants of the container's init process. This can be used, for example, to watch for processes injected into a container via docker exec, kubectl exec, or similar mechanisms. | +| ancestor_binary_regex | [string](#string) | repeated | Filter ancestor processes' binaries using RE2 regular expression syntax. | diff --git a/docs/content/en/docs/concepts/events.md b/docs/content/en/docs/concepts/events.md index 5e53958d9bc..f4292e7c281 100644 --- a/docs/content/en/docs/concepts/events.md +++ b/docs/content/en/docs/concepts/events.md 
@@ -166,8 +166,9 @@ flags, or environment variables. | `parent_arguments_regex` | Filter by the container ID in the process.docker field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | `container_id` | Filter by parent process arguments using a list of regular expressions. You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | | `in_init_tree` | Filter containerized processes based on whether they are descendants of the container's init process. This can be used, for example, to watch for processes injected into a container via docker exec, kubectl exec, or similar mechanisms. | +| `ancestor_binary_regex` | Filter process events by a list of regular expressions of ancestor processes' binary names (e.g. `"^/home/kubernetes/bin/kubelet$"`). You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | -#### Field Filtering +#### Field Filtering In some cases, it is not desirable to include all of the fields exported in Tetragon events by default. In these cases, you can use field filters to diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md index c8792c8b1f6..02420908dfd 100644 --- a/docs/content/en/docs/reference/grpc-api.md +++ b/docs/content/en/docs/reference/grpc-api.md 
@@ -914,6 +914,7 @@ Capability set to filter over. NOTE: you may specify only ONE set here. | parent_arguments_regex | [string](#string) | repeated | Filter by process.parent.arguments field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | container_id | [string](#string) | repeated | Filter by the container ID in the process.docker field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | in_init_tree | [google.protobuf.BoolValue](#google-protobuf-BoolValue) | | Filter containerized processes based on whether they are descendants of the container's init process. This can be used, for example, to watch for processes injected into a container via docker exec, kubectl exec, or similar mechanisms. | +| ancestor_binary_regex | [string](#string) | repeated | Filter ancestor processes' binaries using RE2 regular expression syntax. |
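Review bot: the `ancestor_binary_regex` row added to api/v1/README.md is much thinner than the description this same patch adds to events.md, and it neither names the event field that is matched nor says whether a match on any single ancestor is enough for the event to pass the filter. It also drops the `https://github.com/google/re2/wiki/Syntax` link that every sibling row (`parent_arguments_regex`, `container_id`) carries. Since this table and the one in docs/content/en/docs/reference/grpc-api.md contain identical rows in protoc-gen-doc style (`[string](#string)`), they look generated from the proto comments; if so, the wording belongs in the proto source and both files should be regenerated so the three descriptions cannot drift apart. Suggested text: `Filter by the binary path of any ancestor process using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax`.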
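Review bot: the two context rows immediately above the new line in docs/content/en/docs/concepts/events.md have their descriptions swapped: `parent_arguments_regex` reads "Filter by the container ID in the process.docker field" and `container_id` reads "Filter by parent process arguments using a list of regular expressions". Since this patch already edits that table, swap the two descriptions back. In the added row, "binary names" is misleading because the example `"^/home/kubernetes/bin/kubelet$"` is an absolute path; say "binary paths" and state explicitly whether the event is exported when any one ancestor matches or only when all of them do, since a defender writing an allow-list filter around kubelet will read those two semantics very differently. The `-#### Field Filtering` / `+#### Field Filtering` pair replaces the heading with a visually identical line, which looks like a trailing-whitespace change; either drop it from this docs patch or call it out in the commit message.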
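Review bot: the grpc-api.md row for `ancestor_binary_regex` uses the same terse wording as the api/v1/README.md row ("Filter ancestor processes' binaries using RE2 regular expression syntax."), which does not say which field of the process event is inspected or whether one matching ancestor suffices, and unlike the `parent_arguments_regex` and `container_id` rows beside it omits the RE2 syntax URL. Align it with the fuller sentence added to events.md in this patch, including the `"^/home/kubernetes/bin/kubelet$"` example, so the reference page and the concepts page agree; and if this file is generated from the proto definitions, make the change in the proto comment and regenerate rather than hand-editing the markdown.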